Security EventID 676

Posted on 2004-11-03
Last Modified: 2008-09-09
Currently the eventlogs on our Win2k SP4 server has a number of security logs in the middle of the night and they are referenceing eventID 676 with the info below.

Authentication Ticket Request Failed:
       User Name:      barbara
       Supplied Realm Name:      FNBHAYS.COM
       Service Name:      krbtgt/FNBHAYS.COM
       Ticket Options:      0x40810010
       Failure Code:      0x12
       Client Address:

The usernames vary and sometimes are blank. Logins are disable from 7pm to 7am and there is nobody present on-site etc.

Any insight would be appreciated on what may be happening
Question by:nextech01
    LVL 7

    Accepted Solution

    Sometimes a logon fails not because of a bad password but because the user mistyped the username or tried to guess someone else's username.
    If a logon fails because of an invalid username, Windows 2000 logs event ID 676 (authentication ticket request failed) with Failure Code 6. This event is another important logon auditing advance because in NT you can't distinguish logons that failed because of a bad password from logons that failed because of a bad username. Windows 2000 uses event ID 676 with other failure codes to identify several other types of failed-logon situations.

    Failure Code 12 indicates the logon failed because of time-of-day or workstation restrictions. Failure Code 18 signifies that the account was locked out because of failed logons, disabled by the administrator, or expired.
    Failure Code 23 means the user's password had expired.
    Failure Code 37 occurs when a workstation's clock was too far out of synchronization with the DC's clock.

    See Audit Account Logon Events for more details.

    Author Comment

    I would agree that  it is a failed user logon but when this is happening there is no one on-site because it happens in the middle of the night a lot of times, I have included another bit from one of the logged events;

    Service Ticket Request Failed:
           User Name:      FNBPDC$
           User Domain:      FNBHAYS.COM
           Service Name:      krbtgt/FNBHAYS.COM
           Ticket Options:      0x2
           Failure Code:      0x20
           Client Address:

    In this case the server name is FNBHAYS and happened at 5:17am and what is confusing is the username FNBPDC$ which may be a service but it is occuring on this server named FNBPDC.


    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    By default, Carbonite Server Backup manages your encryption key for you using Advanced Encryption Standard (AES) 128-bit encryption. If you choose to manage your private encryption key, your backups will be encrypted using AES 256-bit encryption.
    Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now